Lan to lan VPN between RV325 ans ASA5505 Problem
Hi,
We have recently change our office router (Netgear) to an Cisco RV325.
So, i reconfigure the vpn connexion Lan to Lan, everything seams to work fine, cause the VPN get successfully connected.
in our back office on the ASA 5505 :
We see that the connexion is open.
but when i try to ping from my computer :
Or from a server on the backoffice
everything failed.
what is missing??
the configuration on the ASA has not change from Netgear to Cisco.
thank's in advance.
Hi Jouni.
Thanks for your quick reply.
1) In tunnel-group there is no typo. Let me explain, on Main ASA:
crypto map outside_map0 2 set peer 88.8.8.8 - WAN ip of Remote ASA (it should be right).
tunnel-group 99.9.9.9 type ipsec-l2l - 99.9.9.9 - is just a name of tunnel-group, and it should be the same on both side if I understand right. I can't use tunnel-group 88.8.8.8 on Main ASA as it's already used in Remote ASA with different PSK for other 2 remote vpns.
2) I'll remove ikev2, but at the moment it doesn't make any harm, so it shouldn't be a problem in that.
3)object network Remote_Network
host 192.168.55.1
description Remote NMC
object network Remote_Network2
subnet 10.1.11.0 255.255.255.0
description Remote Network 2
object network NETWORK_OBJ_192.168.110.0_24
subnet 192.168.110.0 255.255.255.0
object-group network Remote
description Remote network ranges
network-object object Remote_Network
network-object object Remote_Network2
This is a full config. So Remote_Network is a DMZ part of Remote network. I'm not worried about DMZ part now, as long as site-to-site would start working.
4) There are more tunnel-groups on both ASAs and they're all operational and active.
As I mentioned, on Remote ASA tunnel-group 88.8.8.8 is already in use, so I've created a
tunnel-group 99.9.9.9 type ipsec-l2l for a new VPN.
Hope, you're understanding better now. It may look complicated and I did some silly mistake, and somebody can correct me.
Thanks.
Similar Messages
-
Remote VPN between ASA5505 and Netscreen SSG140
Dears,
I'm trying to set up a VPN between an ASA 5505 and SSG40Juniper and the VPN keep flaping:
Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, NP encrypt rule look up for crypto map TEST 1 matching ACL ACL_VPN: returned cs_id=cd2e0998; encrypt_rule=cd39bd50; tunnelFlow_rule=cd488220
Nov 27 04:47:27 [IKEv1]Group = 89.XXX, IP = 89.XXX, Security negotiation complete for LAN-to-LAN Group (89.XXX) Responder, Inbound SPI = 0xb98f5dbe, Outbound SPI = 0xddd1484a
Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE got a KEY_ADD msg for SA: SPI = 0xddd1484a
Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Pitcher: received KEY_UPDATE, spi 0xb98f5dbe
Nov 27 04:47:27 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3060 seconds.
Nov 27 04:47:27 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
Nov 27 04:47:31 [IKEv1]IKE Receiver: Packet received on 81.1XXX:500 from 89.XXX:500
Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected. Retransmitting last packet.
Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
Nov 27 04:47:31 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3056 seconds.
Nov 27 04:47:31 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
Nov 27 04:47:35 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected. Retransmitting last packet.
Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
Nov 27 04:47:35 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3052 seconds.
Nov 27 04:47:35 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a4070b7)
Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
Nov 27 04:47:38 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=8977946c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Nov 27 04:47:38 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
Nov 27 04:47:38 [IKEv1]IP = 89.XXX, IKE_DECODE RECEIVED Message (msgid=8e9a1247) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, processing hash payload
Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, processing notify payload
Nov 27 04:47:38 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a4070b7)
Nov 27 04:47:39 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected. Retransmitting last packet.
Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, Responder resending lost, last msg
Nov 27 04:47:39 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, Starting P2 rekey timer: 3048 seconds.
Nov 27 04:47:39 [IKEv1]Group = 89.XXX, IP = 89.XXX, PHASE 2 COMPLETED (msgid=f46e307a)
Nov 27 04:47:43 [IKEv1]IKE Receiver: Packet received on 81.XXX:500 from 89.XXX:500
Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, Duplicate Phase 2 packet detected. Retransmitting last packet.
Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, QM FSM error (P2 struct &0xcd58eee8, mess id 0xf46e307a)!
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE QM Responder FSM error history (struct &0xcd58eee8) <state>, <event>: QM_DONE, EV_ERROR-->QM_ACTIVE, EV_RESEND_MSG-->QM_ACTIVE, NullEvent-->QM_ACTIVE, EV_VM_START-->QM_ACTIVE, EV_ACTIVE-->QM_RSND_LST_MSG, EV_RESET_LIFETIME-->QM_RSND_LST_MSG, EV_IS_REKEY_SECS-->QM_RSND_LST_MSG, EV_RESEND_MSG
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, sending delete/delete with reason message
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing IPSec delete payload
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
Nov 27 04:47:43 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=57422aa9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE Deleting SA: Remote Proxy 172.24.0.0, Local Proxy 10.143.0.0
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE SA MM:08bcc57b rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, IKE SA MM:08bcc57b terminating: flags 0x01000002, refcnt 0, tuncnt 0
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, sending delete/delete with reason message
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing blank hash payload
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing IKE delete payload
Nov 27 04:47:43 [IKEv1 DEBUG]Group = 89.XXX, IP = 89.XXX, constructing qm hash payload
Nov 27 04:47:43 [IKEv1]IP = 89.XXX, IKE_DECODE SENDING Message (msgid=c364409e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Nov 27 04:47:43 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xb98f5dbe
Nov 27 04:47:43 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xb98f5dbe
Nov 27 04:47:43 [IKEv1]Group = 89.XXX, IP = 89.XXX, Session is being torn down. Reason: Lost Service
Nov 27 04:47:43 [IKEv1]Ignoring msg to mark SA with dsID 1658880 dead because SA delete
On the Cisco side
crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map TEST 1 match address ACL_VPN
crypto map TEST 1 set peer 89.XXX.XXX.XXX
crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
crypto map TEST interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 172.24.0.0 255.255.0.0
On the juniper side:
set ike gateway "TO_XXX_ASA" address 81.XXX.XXX.XXX Main outgoing-interface "ethernet0/2" preshare "XXXXXXX" proposal "pre-g2-3des-md5"
set vpn "DATACENTER_XXX_ASA" proxy-id local-ip 172.24.0.0/16 remote-ip 10.143.0.0/16 "ANY"
set vpn "DATACENTER_XXX_ASA" gateway "TO_XXX_ASA" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "DATACENTER_XXX_ASA" monitor optimized rekey
set vpn "DATACENTER_XXX_ASA" id 0x78 bind interface tunnel.2
set vpn "DATACENTER_XXX_ASA" gateway "TO_XXX_ASA" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-md5"
set vpn "DATACENTER_XXX_ASA" monitor source-interface ethernet0/2 destination-ip 10.143.0.1 optimized rekey
set vpn "DATACENTER_XXX_ASA" id 0x7b bind interface tunnel.2
PFS is disabled.
Any idea why I receive these errors?
Duplicate Phase 2 packet detected. Retransmitting last packet.
QM FSM error (P2 struct &0xcd58eee8, mess id 0xf46e307a)!Hey,
anybody any idea on this problem? We encountered this problem also.
i can see in ASA log that phase1 is completed.
after that we get the msg for phase2 completed.
but followed with a "responder resending lost, last msg" this 3 times, than a QM FSM error and the tunnel being shut down on our end.
the other side, is getting an active SA, but ofc not working.
any idea?
5 Jan 23 2015 14:59:14 713120 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, PHASE 2 COMPLETED (msgid=440ce73e)
7 Jan 23 2015 14:59:18 713906 IKE Receiver: Packet received on yy.yy.yy.yy:500 from xx.xx.xx.xx:500
5 Jan 23 2015 14:59:18 713201 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Duplicate Phase 2 packet detected. Retransmitting last packet.
6 Jan 23 2015 14:59:18 713905 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Responder resending lost, last msg
7 Jan 23 2015 14:59:18 715080 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, Starting P2 rekey timer: 27357 seconds.
5 Jan 23 2015 14:59:18 713120 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, PHASE 2 COMPLETED (msgid=440ce73e)
3x times
3 Jan 23 2015 14:59:30 713902 Group = xx.xx.xx.xx, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0x00007fff2a9921f0, mess id 0x440ce73e)!
with kind regards,
Bernd -
Configuration help for 2nd lan to lan vpn link
Hello,
I have successfully configured a lan to lan vpn link between two offices. I am attempting to add another link to a 3rd office from my home office but am having some trouble. I have attached my configuration and am hoping someone can help me fix my problem. Right now I have a working vpn to 172.16.0.0/24 network and am trying to set up the link to 172.16.3.0/24 as well. To the new vpn connection I can ping the outside interfaces but can't ping anything internally.
Thanks for your time and help,
JasonJason
There is one significant mistake that is easy to fix. You have correctly created a second instance of the crypto map to create a VPN tunnel to the second site. But as currently configured both instances of the crypto map use the same access list:
crypto map clientmap 1 ipsec-isakmp
match address 100
crypto map clientmap 5 ipsec-isakmp
match address 100
But each VPN session/tunnel needs its own access list. So I suggest that you make the following changes:
crypto map clientmap 5 ipsec-isakmp
match address 101
no access-list 100
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.3.0 0.0.0.255
This provides a separate access list for each session/tunnel and should resolve that issue. Give it a try and let us know the result.
HTH
Rick -
Remote access VPN access across LAN-to-LAN VPN
I have two sites (site 1 & site 2) connected by a LAN-to-LAN VPN. At site 1, users connect with a remote access VPN and need to be able to access resources at site 2.
I started out with same-security-traffic intra-interface configured.
Here is the output from both ASAs:
NM-ASA# show crypto isakmp sa
Active SA: 6
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 6
1 IKE Peer: 3.3.3.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 74.138.171.237
Type : user Role : responder
Rekey : no State : AM_ACTIVE
3 IKE Peer: 96.28.201.133
Type : user Role : responder
Rekey : no State : AM_ACTIVE
4 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
5 IKE Peer: 74.138.126.195
Type : user Role : responder
Rekey : no State : AM_ACTIVE
6 IKE Peer: 96.28.201.133
Type : user Role : responder
Rekey : no State : AM_ACTIVE
NM-ASA#
NM-ASA# sho crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.5/255.255.255.255/0/0)
current_peer: 96.28.201.133, username: joneal
dynamic allocated peer ip: 10.1.20.5
#pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 50, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 96.28.201.133
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 5E0D76C9
inbound esp sas:
spi: 0x969790AD (2526515373)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 315392, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28618
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000003 0xFFFFFFFF
outbound esp sas:
spi: 0x5E0D76C9 (1577940681)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 315392, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28618
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.6/255.255.255.255/0/0)
current_peer: 96.28.201.133, username: joneal
dynamic allocated peer ip: 10.1.20.6
#pkts encaps: 1368, #pkts encrypt: 1368, #pkts digest: 1368
#pkts decaps: 945, #pkts decrypt: 945, #pkts verify: 945
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1368, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 96.28.201.133
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 968FF103
inbound esp sas:
spi: 0xA49C8920 (2761722144)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 331776, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28703
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x968FF103 (2526015747)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 331776, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28702
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 20, local addr: 2.2.2.2
access-list peak10-vpn permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 352, #pkts encrypt: 352, #pkts digest: 352
#pkts decaps: 270, #pkts decrypt: 270, #pkts verify: 270
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 352, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 773AB6C7
inbound esp sas:
spi: 0xD34E0435 (3545105461)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914940/28605)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x773AB6C7 (2000336583)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914941/28605)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 20, local addr: 2.2.2.2
access-list peak10-vpn permit ip 192.168.128.0 255.255.224.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 26, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 66CD02A3
inbound esp sas:
spi: 0x531B430A (1394295562)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914990/28666)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x01FFFFFF
outbound esp sas:
spi: 0x66CD02A3 (1724711587)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914990/28666)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.7/255.255.255.255/0/0)
current_peer: 74.138.126.195, username: jnord
dynamic allocated peer ip: 10.1.20.7
#pkts encaps: 990, #pkts encrypt: 990, #pkts digest: 990
#pkts decaps: 1429, #pkts decrypt: 1429, #pkts verify: 1429
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 990, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 3
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 74.138.126.195
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 62241B76
inbound esp sas:
spi: 0xB1F2F97B (2985490811)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 327680, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28674
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x62241B76 (1646533494)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 327680, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28674
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.4/255.255.255.255/0/0)
current_peer: 74.138.171.237, username: cbulmahn
dynamic allocated peer ip: 10.1.20.4
#pkts encaps: 832, #pkts encrypt: 832, #pkts digest: 832
#pkts decaps: 620, #pkts decrypt: 620, #pkts verify: 620
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 832, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 74.138.171.237
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 64CD5FBE
inbound esp sas:
spi: 0xCDFCE528 (3455903016)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 311296, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28613
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x64CD5FBE (1691180990)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 311296, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28613
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 5228, #pkts encrypt: 5228, #pkts digest: 5228
#pkts decaps: 5246, #pkts decrypt: 5246, #pkts verify: 5246
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5229, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3200F1CB
inbound esp sas:
spi: 0x10DEE5CE (283043278)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373446/28613)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x3200F1CB (838922699)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373496/28613)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.111.0 255.255.255.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.111.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 321, #pkts encrypt: 321, #pkts digest: 321
#pkts decaps: 296, #pkts decrypt: 296, #pkts verify: 296
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 321, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: EC77AF32
inbound esp sas:
spi: 0x16C7E578 (382199160)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373950/28636)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEC77AF32 (3967266610)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373936/28636)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.112.0 255.255.240.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.112.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 2910, #pkts encrypt: 2910, #pkts digest: 2910
#pkts decaps: 3794, #pkts decrypt: 3794, #pkts verify: 3794
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2996, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: EEDD3278
inbound esp sas:
spi: 0x9FAA12E6 (2678723302)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4370659/28610)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEEDD3278 (4007473784)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373556/28610)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.128.0 255.255.224.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 3034, #pkts encrypt: 3034, #pkts digest: 3034
#pkts decaps: 3748, #pkts decrypt: 3748, #pkts verify: 3748
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3034, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D1F3CBED
inbound esp sas:
spi: 0x7C688B5D (2087226205)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4370712/28609)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD1F3CBED (3522415597)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373429/28609)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
NM-ASA#
QSRCORPFW# sho crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 3.3.3.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
QSRCORPFW# sho crypto ipsec sa
interface: WAN
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list PEAK10VPN permit ip 192.168.0.0 255.255.192.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 2162, #pkts encrypt: 2162, #pkts digest: 2162
#pkts decaps: 1761, #pkts decrypt: 1761, #pkts verify: 1761
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2162, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: BDC6A8EE
inbound esp sas:
spi: 0x966B78C0 (2523625664)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6328320, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914547/28485)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xBDC6A8EE (3183913198)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6328320, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914652/28485)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 1.1.1.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.10.6/255.255.255.255/0/0)
current_peer: 74.128.145.69, username: administrator
dynamic allocated peer ip: 10.1.10.6
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 74.128.145.69
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 0ED4D561
inbound esp sas:
spi: 0x70133356 (1880306518)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 6332416, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28521
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0001FFFF
outbound esp sas:
spi: 0x0ED4D561 (248829281)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 6332416, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28508
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.111.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.111.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 350, #pkts encrypt: 350, #pkts digest: 350
#pkts decaps: 379, #pkts decrypt: 379, #pkts verify: 379
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 350, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 16C7E578
inbound esp sas:
spi: 0xEC77AF32 (3967266610)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914923/28493)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x16C7E578 (382199160)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914939/28493)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.112.0 255.255.240.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.112.0/255.255.240.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 5270, #pkts encrypt: 5270, #pkts digest: 5270
#pkts decaps: 4314, #pkts decrypt: 4314, #pkts verify: 4314
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5270, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9FAA12E6
inbound esp sas:
spi: 0xEEDD3278 (4007473784)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914358/28463)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9FAA12E6 (2678723302)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3911355/28463)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.100.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 11323, #pkts encrypt: 11323, #pkts digest: 11323
#pkts decaps: 11262, #pkts decrypt: 11262, #pkts verify: 11262
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11323, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 10DEE5CE
inbound esp sas:
spi: 0x3200F1CB (838922699)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914033/28461)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x10DEE5CE (283043278)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3913939/28459)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.128.0 255.255.224.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4206, #pkts encrypt: 4206, #pkts digest: 4206
#pkts decaps: 3490, #pkts decrypt: 3490, #pkts verify: 3490
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4206, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7C688B5D
inbound esp sas:
spi: 0xD1F3CBED (3522415597)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914326/28457)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7C688B5D (2087226205)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3911559/28457)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
QSRCORPFW# -
VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client
Hello,
I have problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 have 7.2.3 software and 881G router have 15.1 software.
881G is configured as hardware client in network exstention mode, and it is placed behind NAT. ASA5505 is working as server. Same VPN Group works correctly from VPN software clients.
When I send traffic from 881G client side, in show cryto sessin detail I see encrypted packets. But with same command I dont see decrypted packet on ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
VPN is working when I replace ASA5505 with ASA5510 correctly with have 8.4.6 software. But problem is that i need to do this VPN between ASA5505 and 881G.
Can you help me, how can I debug or troubleshoot this problem ?
I am unable to update software on ASA5505 side.Hello,
Hire is what my config look like:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group HW-CLIENT-GROUPR type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP
tunnel-group HW-CLIENT-GROUP ipsec-attributes
pre-shared-key *******
group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
nem enable -
Use client VPN tunnel to traverse LAN-to-LAN tunnel
I've been troubleshooting a problem and can't get over a hurdle. The ASA is running ASA running 7.2(1)24 code. I'm trying to use a client VPN tunnel to connect to the ASA. The ASA already has a LAN-to-LAN tunnel set up and functioning, and I need the client VPN to access the remote site over the LAN-to-LAN tunnel.
The internal IP address of the local side is 192.168.0.0/24 and the IP of the remote LAN-to-LAN tunnel is 172.20.1.0/24. The clients are handed out 192.168.200.0/24 IPs. I've attached the relevant configuration for the ASA.
When the client VPNs into the network, I can access the resources on the ASA's internal network. Users on the ASA's internal network can access resources across the LAN-to-LAN tunnel. Client VPNs cannot access resources over the LAN-to-LAN tunnel. For the latter, there are no hits on the C-TEST access list.
Thank you for your assistance.try adding...
same-security-traffic permit intra-interface
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a00806370f2.html#wp1042114 -
AAA accounting of Lan-to-Lan VPN connections on a 3005 Concentrator
Hello all,
I am trying to do AAA accounting for the Lan-to-Lan connections on a 3005 VPN concentrator. It does not seem to work. For incoming VPN client connections, it's working ok, I see the 3005 sending accounting data to our radius server. But nothig is sent for Lan-to-Lan connections.
Any ideas ? Is this not supported on the 3005 ?
Thanks,
StefanOk, I have updated the image and now I can access all the SNMP info that was not there before. As before, no AAA data is sent for Lan-to-Lan connections and you only have access to current connection info via SNMP. So no historical data. But still, I can make a script that posts on a webpage the current connections, so people with no access to the concentrator can see it.
I see something weird tho, the snmpwalk is very slow. If I try to walk the interfaces.ifTable for example, it's very slow, one line every second. Must be something from the concentrator because the same snmpwalk on another router is very fast. Walking through the active vpn list takes longer than walking through the whole snmp tree on another router.
I only found something about SNMP reuqests queued ... but that didn't help. Any idea how I can speed up the snmp replies ?
Thanks,
Stefan -
Asa 5505 site to site VPN between A to B site, then B site MPLS to internal network
Dear all
I am setting up site to site VPN between two site A to B site. Two local site of A and B are connected fine. however for my site B have another internal MPLS to other site. The connection fine from LAN A all the way to LAN B MPLS router, but it cannot be connect to other MPLS site. If I did the MPLS traceroute from other site. It can be reached of LAN B internal router. Therefore, I am confusing which part of my configuration go wrong and any document for my reference. Thank you very much.
Local LAN A (5505 ASA)---------(5505 ASA) Local LAN B-----------B Internal router---------B MPLS router-------------other site.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>xxxxxxxxxxxxxxxDear Harish
for LAN B MPLS. All 11.20.0.0/16 will route to LAN B internal router 10.14.128.252
If traceroute from other 11.0.0.0 site to 11.20.128.250, it can reach until LAN B ASA 11.14.127.223
11.20.128.250 11.14.128.223 11.14.128.252 11.14.128.253 11.0.0.0
Local LAN A (5505 ASA)---------(5505 ASA) Local LAN B-----------B Internal router---------B MPLS router-------------other site.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>xxxxxxxxxxxxxxx
if traceroute from 10.20.0.0, it can reach until LAN B MPLS router 11.14.128.253
For config file post. Can I have your email address to direct send to you. Thank you very much. -
Site to Site VPN between ASA 5505 and Juniper SSG140 no traffic
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/3
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/4
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/5
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/6
switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
switchport mode trunk
interface Ethernet0/7
switchport access vlan 250
interface Vlan2
nameif outside
security-level 0
ip address 81.XXX.XXX.XXX 255.255.255.252
interface Vlan3
nameif OUTSIDE_BACK
security-level 0
ip address 41.XXX.XXX.XXX 255.255.255.248
interface Vlan20
nameif XXX
security-level 80
ip address 10.143.0.1 255.255.255.0 standby 10.143.0.2
interface Vlan21
nameif XXX
security-level 90
ip address 10.143.1.1 255.255.255.0 standby 10.143.1.2
interface Vlan24
nameif XXX
security-level 80
ip address 10.143.4.1 255.255.255.0 standby 10.143.4.2
interface Vlan28
nameif XXX
security-level 80
ip address 10.143.8.1 255.255.255.0 standby 10.143.8.2
interface Vlan212
nameif SELF
security-level 80
ip address 10.143.12.1 255.255.255.0 standby 10.143.12.2
interface Vlan213
nameif XXX
security-level 80
ip address 10.143.13.1 255.255.255.0 standby 10.143.13.2
interface Vlan214
nameif BIOFR
security-level 80
ip address 10.143.14.1 255.255.255.0 standby 10.143.14.2
interface Vlan232
nameif MNGT
security-level 80
ip address 10.143.32.1 255.255.255.0 standby 10.143.32.2
interface Vlan233
nameif XXX
security-level 80
ip address 10.143.33.1 255.255.255.0 standby 10.143.33.2
interface Vlan234
nameif XXX
security-level 80
ip address 10.143.34.1 255.255.255.0 standby 10.143.34.2
interface Vlan235
nameif XX
security-level 80
ip address 10.143.35.1 255.255.255.0 standby 10.143.35.2
interface Vlan236
nameif XXX
security-level 80
ip address 10.143.36.1 255.255.255.0 standby 10.143.36.2
interface Vlan250
description LAN Failover Interface
interface Vlan254
nameif TEST
security-level 80
ip address 10.143.254.1 255.255.255.0 standby 10.143.254.2
interface Vlan255
nameif XXX
security-level 100
ip address 10.143.255.1 255.255.255.0 standby 10.143.255.2
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network XXX
subnet 10.143.14.0 255.255.255.0
object network XXX
subnet 10.143.35.0 255.255.255.0
object network XXX
subnet 10.143.1.0 255.255.255.0
object network MGMT
subnet 10.143.32.0 255.255.255.0
object network XXX
subnet 10.143.36.0 255.255.255.0
object network XXX
subnet 10.143.4.0 255.255.252.0
object network XXX
subnet 10.143.33.0 255.255.255.0
object network ACCT
subnet 10.143.34.0 255.255.255.0
object network XXX
subnet 10.143.0.0 255.255.255.0
object network XXX
subnet 10.143.8.0 255.255.255.0
object network XXX
subnet 10.143.12.0 255.255.255.0
object network XXX
subnet 10.143.37.0 255.255.255.0
object network TEST
subnet 10.143.254.0 255.255.255.0
object network XXX
subnet 10.143.255.0 255.255.255.0
object network NETWORK_OBJ_10.143.0.0_16
subnet 10.143.0.0 255.255.0.0
object network NETWORK_OBJ_10.91.0.0_16
subnet 10.91.0.0 255.255.0.0
object-group network vpn-local-network
network-object 10.143.14.0 255.255.255.0
network-object 10.143.35.0 255.255.255.0
network-object 10.143.1.0 255.255.255.0
network-object 10.143.32.0 255.255.255.0
network-object 10.143.36.0 255.255.255.0
network-object 10.143.4.0 255.255.255.0
network-object 10.143.33.0 255.255.255.0
network-object 10.143.34.0 255.255.255.0
object-group network vpn-remote-network
network-object 10.112.0.0 255.255.0.0
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list ACL_INSIDE_NONAT extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list PING extended permit icmp any any
access-list PING extended permit icmp any any object-group ALLOW_PING
pager lines 24
logging asdm informational
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan250
failover interface ip FAILOVER 10.143.250.1 255.255.255.0 standby 10.143.250.2
no monitor-interface outside
no monitor-interface OUTSIDE_BACK
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XX interface
nat(IT,outside) source dynamic IT interface
nat (TEST,outside) source dynamic TEST interface
nat ( IT,outside) source dynamic IT interface
nat (TEST,outside) source static vpn-local-network vpn-local-network destination static vpn-remote-network vpn-remote-network no-proxy-arp route-lookup
access-group PING in interface outside
access-group PING in interface OUTSIDE_BACK
route outside 0.0.0.0 0.0.0.0 81.XXX.XXX.XXX.XXX 1 track 1
route OUTSIDE_BACK 0.0.0.0 0.0.0.0 41.XXXX
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
sysopt connection preserve-vpn-flows
sla monitor 123
type echo protocol ipIcmpEcho 41.xxx.xxx.xxx interface outside
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map TEST 1 match address ACL_VPN
crypto map TEST 1 set peer 194.XXX.XXX.XXX
crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
crypto map TEST 1 set security-association lifetime seconds 86400
crypto map TEST 1 set security-association lifetime kilobytes 2147483647
crypto map TEST interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
track 1 rtr 123 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 10.143.255.0 255.255.255.0 IT
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 60
management-access IT
dhcpd lease 60000
dhcpd ping_timeout 20
dhcpd domain tls.ad
dhcpd auto_config outside
dhcpd address 10.143.4.10-10.143.4.200 XXX
dhcpd dns 10.91.0.34 8.8.8.8 interface XXX
dhcpd option 3 ip 10.143.4.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.12.10-10.143.12.200 XXX
dhcpd option 3 ip 10.143.12.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.14.10-10.143.14.200 XXX
dhcpd option 3 ip 10.143.14.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.32.10-10.143.32.100 MNGT
dhcpd option 3 ip 10.143.32.1 interface MNGT
dhcpd enable MNGT
dhcpd address 10.143.33.10-10.143.33.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.34.10-10.143.34.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.36.10-10.143.36.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.255.10-10.143.255.200 XXX
dhcpd option 3 ip 10.143.255.1 interface XXX
dhcpd enable IT
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.90.0.34
ntp server 10.91.0.34
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
username tlsnimda password OW03yrp6/wvkyg6E encrypted
tunnel-group 194.XXX.XXX.XXX type ipsec-l2l
tunnel-group 194.XXX.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
class-map icmp
match default-inspection-traffic
policy-map icmppolicy
class icmp
inspect icmp
service-policy icmppolicy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e820e629c3cbaf67478c065440ac8138
VPN is up but not passing any traffing
Crypto map tag: TEST, seq num: 1, local addr: 81.xxx.xxx.xxx
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.143.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
current_peer: 194.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 10
local crypto endpt.: 81.xxx.xxx.xxx/0, remote crypto endpt.: 194.xxx.xxx.xx/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CC4FACB7
current inbound spi : D8C0AC76
inbound esp sas:
spi: 0xD8C0AC76 (3636505718)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 9367552, crypto-map: TEST
sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xCC4FACB7 (3427773623)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 9367552, crypto-map: TEST
sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
VPN is unstable
Connection terminated for peer 194.XXX.XXX.XX. Reason: Peer Terminate Remote Proxy 10.112.0.0, Local Proxy 10.143.0.0
I cannot pass any traffic through the vpn when it's UP, or ping the other side.
ASA VERSION 9.2I do not think that'll be any problem. Here at work we also use Cisco ADSL 800 Series with vpn between customers' sites without any issues. The ASA should vpn for sure.
-
LTE in Germany using Telekom/Vodafone LAN-to-LAN tunnel
Hello !
We habe some locations with very slow DSL connetion (< 200 kbit). Some services need direct vpn-connection to the datacenter and some RDP access etc. - the networks are connceted with LAN-to-LAN ipsec tunnel. Work's fine with slow speed.
Now we like to set up one side with LTE. Did someone set up ipsec with one side via LTE via Telekom or Vodafone in Germany ?PIN:
router#cellular 0/2/0 gsm sim unlock 6543
Create the profile:
router#cellular 0/2/0 gsm profile create 1 apnname.net
AT command is
ATD*gprs_sc*CID#
or
ATDT*gprs_sc*CID#
where gprs_sc (GPRS service code) is 99, but 98 can also work. T-Mobile says 99, Cisco docs contain 98.
Some modem manual says:
99 (GPRS Service Code) a digit string (value 99) that identifies a
request to use the Packet Domain service.
98 (GPRS Service Code) a digit string (value 98) that identifies a
request to use the IP service
CID (PDP Context Identifier) is the connection profile number (see show cellular 0/2/0 profile ), number between 1..16 This profile contains the APN name.
Typical AT command is: ATD*99*1#*
(Or simply *99# , default CID is obviously 1 )
I don't think you need a chat-script:
interface Cellular0/1/0
no ip address
encapsulation ppp
load-interval 30
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
interface Dialer0
ip address negotiated,
no ip redirects
no ip proxy-arp
encapsulation ppp
load-interval 30
dialer pool 1
dialer idle-timeout 0
dialer string "*99*1#"
dialer persistent
dialer-group 1
no cdp enable
ppp pfc local forbid
ppp pfc remote reject
ppp acfc local forbid
ppp acfc remote reject
ppp eap refuse
ppp eap local
ppp chap refuse
ppp ms-chap refuse
ppp ms-chap-v2 refuse
ppp pap refuse
ppp ipcp address accept
dialer-list 1 protocol ip permit
Troubleshooting:
sh int cell0/0/0
sh cell 0/0/0 all
(config)#service internal
(config)#exit
#test cellular 0/0/0 modem-power-cycle -
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
hello,
i am setting up a site to site vpn between two asa 5505's. the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point. i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated. i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI the asa's are different versions, one is 9.2 the other is 8.2
Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Hi Keegan,
Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
I would suggest to do a 'clear xlate'? Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts" -
LAN Lite, LAN Base, IP Base, and IP Service Image of Switching.
Dear all,
Please kindly help me what is differenct between LAN Lite, LAN Base, IP Base, and IP Service Image of Switching.
Hope see all of your feedback soon.Thanks!
KIND Regards,
SirenHere is a white paper on difference between LAN base, IP base and IP services. Note that LAN lite switches have different hardware and can't be upgraded to a more capable image.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/white_paper_c11-579326_ps10745_Products_White_Paper.html
This paper compares LAN lite vs LAN base for 2960:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/prod_presentation_c97-494780.pdf
Daniel Dib
CCIE #37149 -
I have a dilemma. We have a LAN 2 LAN with a remote site and I need somehow NAT their subnet with and address pool on my side so I can route this traffic elsewhere where there is a conflicting network. I have an ASA 5510 on this side and they are running a PIX something or another.
I can see where to create a pool but how can I tell the ASA to assign that pool to the addresses in that LAN 2 LAN?L2L VPNs do not use 'pools'. You have to define the interesting traffic using Crypto Access-Lists. In case of NAT, you can put the translated IPs in the access-list as per the below example:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
And this is an example on IOS:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
Regards
Farrukh -
VPN between ASA 5500 and Cisco 871
Hello.
I recently bought a Cisco 871 and an ASA 5500 device. I would like to configure a VPN connection (LAN-to-LAN), and I would like some help about the ports that need to be opened into both firewalls, ASA and 871.
Thank you.Thank you. The routers where not syncronized.
I have installed on my CA server also an NTP server and everything works now.
I have one more question: how can I connect the CA server to separate zone on my ASA device? Let's say a DMZ zone?
I have 2 public IPs and I want to use one (let's say PRIMARY_IP) for the VPN tunnels, and the other one (let's call it SECONDARY_IP) for the CA server...In other words I want the SECONDARY_IP to be ?assigned? to the CA server; if someone wants to make requests for NTP, or SCEP, or ...let's say TFTP to the SECONDARY_IP, those requests to be forwarded behind the ASA, to the CA.
Can you help me? -
Persistent VPN between PIX 501 and ASA 5505
I am a networking newbie with 2 small retail stores. I would like to create a persistent VPN between the stores. I already have a PIX 501 firewall, and I am looking at getting an ASA 5505. Would I have any problems creating a persistent VPN between these two firewalls?
No problems whatsoever :-)
There are loads of examples for the config on the Cisco website, and basically these boxes can run exactly the same software, so the config on each is virtually the same. Main difference is the ASA defines the interfaces in a different way. Even if you have different versions of software, say 6.3 on the PIX and 7.2 on the ASA they will still work fine for the VPN, just the configs will be a lot more different. Hope this helps to remove any worries you had?
Maybe you are looking for
-
How to get my display screen to roll
I am not able to get my iphone to display apps in both directions, up and down and sideways. Some do, however some don't like Facebook.
-
Just purchased MBP with OSX 10.8.5....
I bought this off of eBay and I love it. I also purchased a old iMac that has Snow Leopard 10.6.3 on it. I read that when you purchase and download the OS through the App Store that you can put it on all of your computers. Since the MBP came with it
-
Trying to reinstall Design Premium 5.5 on a Mac OSX 10.7.5 - once downloaded to my computer it will not install due to error message "Install" can't be opened. You should eject the disk image. Thanks
-
Headphones and speakers playing at the same time on Win 8.1
When I plug in a headphone to my laptop the speakers don't cut out, both headphones and speakers play at the same time instead of one cutting out automatically.
-
Satellite C850D - touchpad is acting very strange
Satellite C850D Touch pad way to sensitive3 or broke keeps flipping over pages when touching pad very annoying